White Paper. Citrix Solutions for Complying with PCI-DSS. Ensuring Protection of Web Applications and Privacy of Cardholder Information

Transcription

1 White Paper Citrix Solutions for Complying with PCI-DSS Ensuring Protection of Web Applications and Privacy of Cardholder Information

2 Table of Contents Overview... 3 A Tale of Abandonment, Missed Opportunities and Fraud... 3 Guarding Against Credit Card Fraud... 4 Whom Does PCI-DSS Apply to?... 4 What are the Elements of PCI-DSS?... 4 Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Web Application Controls Specifi c to PCI-DSS... 5 Recommendations... 7 Citrix Solutions... 7

3 Overview The Payment Card Industry Data Security Standard (PCI-DSS) is a global standard governed by the major credit card companies. The standard comprises a set of directives for entities that handle credit cards, with the goal of reducing fraud. PCI-DSS presents the framework for protecting sensitive cardholder and authentication data, providing fi nancial benefi ts to organisations that are in compliance. Citrix Application Firewall, along with other Citrix solutions, provide a strong platform for compliance with PCI-DSS application security requirements and overall protection of critical Web applications. A Tale of Abandonment, Missed Opportunities and Fraud 40% of shoppers have abandoned an online transaction due to concerns over credit card fraud. 32% of survey respondents would spend a greater percentage of their holiday shopping budget online if they had greater trust in the retailer (buysafe, 2006). A recent Forrester Research report predicted online holiday spending would rise by 23% in One in three (30%) of online adults, however, said security fears compelled them to shop less online or not at all during the 2006 holiday season. One in fi ve (20%) online adults said Internet security had them very concerned or extremely concerned during the 2006 holiday season. Those concerns ran highest among those 55 and older (31% said they were very or extremely concerned) (Business Software Alliance (BSA), 2006). More than half of all Australians say their top security fears are about people accessing or misusing their personal details as well as credit/debit card fraud. (Australian Associated Press, 2006). Companies spent nearly $5 million on average, and 30% more, in 2006 than in 2005 to recover when corporate data was lost or stolen, according to a new study from the Poneman Institute. Gartner Group (2006) predicted online retailers would lose nearly $500 million in sales during the 2006 holiday shopping season due to fraud and suspect transactions. Fear of credit card fraud keeps consumers from utilising Web applications for fi nancial transactions and results in reduced sales for retailers. Lack of trust in the Web requires direct human interaction for all sales, resulting in higher transaction costs. Fraud-related costs are a signifi cant drag on profi tability and productivity for fi nancial institutions. Any way you look at it, credit card fraud erodes customer confi dence, increases costs and diminishes the benefi ts of ubiquitous e-commerce. It s a problem recognised by the credit card companies and policed by auditors through PCI-DSS v1.1. 3

4 Guarding Against Credit Card Fraud On September 7, 2006, the leading global Payment Card Industry (PCI) vendors offi cially joined together to form the PCI Security Standards Council. This council, comprised of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, is focused on defi ning security requirements that protect sensitive cardholder data. First introduced in January 2005, the PCI-DSS provides a single global security standard that provides specifi c technical guidance for protecting cardholder interests. The fi rst initiative of the new PCI Security Standards Council was to update this standard. Three new signifi cant points have been addressed in PCI-DSS v1.1: The unifi cation of PCI vendors to develop a single set of global requirements Specifi c recognition of the unique security needs of Web applications Increased requirements for hosting providers This whitepaper clarifi es the newly mandated PCI-DSS requirements for protecting sensitive cardholder data delivered through Web applications. Whom does PCI-DSS apply to? The PCI-DSS standard is aimed at online merchants, fi nancial institutions, credit and debit card processors, card companies and endpoint POS terminals. According to the v1.1 specifi cation: PCI-DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI-DSS requirements do not apply. If your organisation directly interacts with, or supports, online credit card transactions via a Web-based application or interface, PCI requirements must be complied with. What are the Elements of PCI-DSS? The PCI-DSS defi nes 12 high-level requirements in the following six categories: Build and Maintain a Secure Network Requirement 1: Install and maintain a fi rewall confi guration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security PCI-DSS presents the framework and standard for protecting cardholder and sensitive authentication data with the ultimate goal of limiting access, controlling fraud and providing fi nancial benefi ts to organisations that are in compliance. 4

5 Web Application Controls Specifi c to PCI-DSS To support the specifi c interests and unique risks associated with Web applications, PCI-DSS v1.1 expands on existing requirements and introduces new requirements. The following considerations highlight several of the requirements and proposed controls specifi c to web application environments Justifi cation and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). The PCI-DSS mandates that organisations build and maintain a secure network by using core Web protocols and VPN technologies to deliver and secure cardholder data across networks. Citrix Application Firewall and Citrix NetScaler appliances restrict access to applications and data by allowing only the use of approved protocols and methods. 3.3 Mask PAN when displayed (the fi rst six and last four digits are the maximum number of digits to be displayed). Citrix Application Firewall is easily confi gured to mask individual and multiple Primary Account Numbers. Citrix Application Firewall prevents the leakage of sensitive cardholder data, regardless of programmer oversight, logic fl aws or targeted attacks. It masks or blocks the PAN, preventing it from ever being returned to the user, maliciously or accidentally. 3.5 Protect encryption keys used for encryption of cardholder data against both disclosure and misuse Restrict access to keys to the fewest number of custodians necessary Store keys securely in the fewest possible locations and forms. The protection of encryption keys is paramount to maintaining the confi dentiality of encrypted cardholder data. If an encryption key can be uncovered, all previous, current and future transactions that use the key can be decrypted and disclosed as clear text. Citrix NetScaler, Citrix Application Firewall and Citrix Application Gateway solutions securely maintain the certifi cates and encryption keys used for SSL/TLS, and can SSL-enable applications that were not designed to use secure network protocols. Cryptographic protection standards such as FIPS have proven to be a best practice for fi nancial organisations that require strong key protection, and will be a consideration in PCI-DSS compliance. All Citrix appliances are available in FIPS compliant versions. 4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. In addition to the protection of encryption keys, Citrix Application Firewall inspects the contents of SSL/TLSencrypted sessions, ensuring session validity and blocking attacks -Network fi rewalls and Intrusion Protection Systems (IPS) cannot see inside an SSL session. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. When using technologies that provide direct access to applications, especially client/server applications, it is imperative that the client machine be free from malware. Before access is allowed, Citrix SmartAccess automatically assures that minimum defi ned client security requirements have been met, contextually allowing application usage by clients that have been determined through policy to be trusted. 5

6 6.5 Develop all Web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Unvalidated input Broken access control (for example, malicious use of user IDs) Broken authentication and session management (use of account credentials and session cookies) Cross-site scripting (XSS) attacks Buffer overfl ows Injection fl aws (for example, structured query language (SQL) injection) Improper error handling Insecure storage Denial of service Insecure confi guration management Secure coding practices and code review are core elements of a security-oriented application development lifecycle. However, they re not enough. The threat vectors and application-layer attacks presented in Section 6 are common vulnerabilities that competent application developers have known how to prevent for years. But these common vulnerabilities continue to be regularly discovered even in major commercial applications. Human error, rushed patches, application interoperability, new attack methods and constantly evolving best practices make it highly likely that a critical vulnerability exists within a complex and highly customised Web application. And all it takes is one vulnerability to cause devastating data loss and compromise. 6.6 Ensure that all Web-facing applications are protected against known attacks by applying either of the following methods: Having all custom application code reviewed for common vulnerabilities by an organisation that specialises in application security Installing an application layer fi rewall in front of Web-facing applications. Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement. Today s highly dynamic and complex Web applications require the protection of Citrix Application Firewall. While code review is always recommended, it is important to remember that the results of a code review are only valid until: a) the code changes in any way; or b) a new attack vector leads to an update of code review best practices. The active protection afforded by Citrix Application Firewall prevents both known and unknown attacks, and is proven to be the most effi cient and cost-effective means for protecting custom Web applications. This is why the PCI-DSS specifi cation is mandating the implementation of an application-layer fi rewall as of June 30, 2008 and recommending it as a best practice today. In addition, the requirements for strong access control and audit information presented in Requirement 8: Assign a unique ID to each person with computer access can be fulfi lled and enforced through the implementation of Citrix Application Firewall. Citrix Application Firewall blocks these common vulnerabilities in both well-characterised and custom applications, complementing and enforcing secure coding best practices. Since Citrix Application Firewall only allows known good behavior, even new attacks are blocked without requiring new signatures or updates. Your data remains protected while other vendors scramble to release patches and hotfi xes. 6

7 Recommendations Organisations subject to compliance with PCI-DSS v1.1 should take the following steps to ensure conformance of Web application interests: Review the objectives of the PCI Security Standards Council and the PCI-DSS standard at pcisecuritystandards.org/ Discuss governance, risk and compliance objectives with auditors, risk management and security offi cers, businessline management, Information Technology management and senior organisational management Institute recommended best practices for compliance with PCI-DSS requirements, including the installation of Citrix Application Firewall in front of Web-facing applications Perform active assessments and review audit logs to assure that policy objectives are being complied with Citrix Application Firewall Citrix Application Firewall is a high-performance, hardened security appliance that blocks all known and unknown attacks against Web and Web Services applications. Citrix Application Firewall enforces a positive security model that permits only correct application behavior, without relying on attack signatures. Application Firewall analyses all bi-directional traffi c, including SSL-encrypted communications, protecting against 16 classes of Web application vulnerabilities without any modifi cation to applications. Citrix Application Firewall is available as a family of purpose-built appliances that meet any deployment need, and in two software editions offering upgrade options as threats, applications and defenses become more complex. Citrix NetScaler Citrix NetScaler optimises the delivery of web applications improving performance up to 5x, increasing security, and increasing web server capacity with lowerw costs ensuring the best total cost of ownership (TCO), security, availability, and performance for web applications. Citrix NetScaler combines high-speed load balancing and content switching with state-ofthe-art application acceleration, layer 4-7 traffi c management, data compression, static and dynamic content caching, SSL acceleration, numerous network optimisations, and robust application security into a single, tightly integrated solution. Deployed in front of both web- and application servers, Citrix NetScaler signifi cantly reduces processing overhead, reducing hardware and compresses data, reducing bandwidth costs. Citrix Access Gateway Citrix Access Gateway products are universal SSL VPN appliances providing a secure, always-on, single pointof-access to an organisation s applications and data. A comprehensive range of appliances and editions allow Access Gateway to meet the needs of any size organisation, from small businesses to the most demanding global enterprises. Application Firewall is deployable alone or with Citrix NetScaler application delivery systems to deliver the combined benefi ts of application optimisation and comprehensive protection. 7

8 Citrix Worldwide Worldwide Headquarters Citrix Systems, Inc. 851 West Cypress Creek Road Fort Lauderdale, FL 33309, USA Tel: +1 (800) Tel: +1 (954) European Headquarters Citrix Systems International GmbH Rheinweg Schaffhausen Switzerland Tel: +41 (0) European Subsidiaries Citrix Systems GmbH Am Söldnermoos Hallbergmoos/München Germany Tel: +49 (0) Citrix Systèmes SARL 7, place de la Défense Paris la Défense 4 Cedex France Tel: +33 (0) Citrix Systems UK Limited Chalfont Park House, Chalfont Park Chalfont St. Peter Gerrards Cross Buckinghamshire, SL9 0DZ United Kingdom Tel: +44 (0) Notice The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED AS IS WITHOUT WARRANTIES OF ANY KIND, EXPRESSED OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. ( CITRIX ), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE. THE USE CASES IN THIS PAPER ARE PROVIDED ONLY AS POTENTIAL EXAMPLES AND YOUR ACTUAL COSTS AND RESULTS MAY VARY. Citrix Systems Benelux Clarissenhof 3c, 4133 AB Vianen Netherlands Tel: +31 (347) Citrix Systems Nordic Kalkbrænderiløbskaj Copenhagen Ø Denmark Tel: Asia Pacifi c About Citrix Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader and the most trusted name in application delivery infrastructure. More than 200,000 organisations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security, and lowest cost. Citrix customers include 100% of the Fortune 100 companies and 98% of the Fortune Global 500, as well as hundreds of thousands of small businesses and prosumers. Citrix has approximately 6,200 channel and alliance partners in more than 100 countries. Annual revenue in 2006 was $1.1 billion Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, Citrix Application Firewall, Citrix SmartAccess and Citrix Application Gateway are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Offi ce and in other countries. UNIX is a registered trademark of The Open Group in the U.S. and other countries. Microsoft Windows and Windows Server are registered trademarks of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. EM-UK /07 Citrix Systems Hong Kong Ltd. Suite 3201, 32nd Floor One International Finance Centre 1 Harbour View Street Central, Hong Kong Tel: Citrix Online Division 5385 Hollister Avenue Santa Barbara, CA Tel: +1 (805)